Bug 644305

Summary: Password is visible to non-root users
Product: [Fedora] Fedora EPEL Reporter: Andy Shevchenko <andy.shevchenko>
Component: iodineAssignee: Pavel Alexeev <pahan>
Status: CLOSED ERRATA QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium Docs Contact:
Priority: low    
Version: el5CC: lystor, pahan
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: iodine-0.6.0-0.rc1.6.el5 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2010-11-19 22:34:42 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Andy Shevchenko 2010-10-19 11:47:16 UTC 
Description of problem:
The iodine-server and iodine-client files in the /etc/sysconfig are visible by non-root users.
The impact of that is the password leakage.
So, this is kinda security bug.

Version-Release number of selected component (if applicable):
Official EPEL5.
Comment 1 Pavel Alexeev 2010-10-23 17:08:30 UTC 
Firstly thank you for the bugreport.

Most of files in /etc/sysconfig is readable by regular user.
In fact base way provide passwords in command line absolutely is not safe because it potentially accessible through process list. So, change permission on that files nothing does unfortunately.

If you want truly security way you should ask upstream to add f.e. PKI support, or at least (by example VNC) - support read password from provided file.
Comment 2 Andy Shevchenko 2010-10-25 06:58:02 UTC 
We are talking about the iodine(d) itself. The others have their own issues.

So, iodine(d) has no security problems with the password visibility (check process tree please) until you introduced the wrong permissions to the file.
Comment 3 Fedora Update System 2010-11-11 05:57:13 UTC 
iodine-0.6.0-0.rc1.6.el5 has been submitted as an update for Fedora EPEL 5.
https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.el5
Comment 4 Fedora Update System 2010-11-11 06:08:07 UTC 
iodine-0.6.0-0.rc1.6.fc12 has been submitted as an update for Fedora 12.
https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.fc12
Comment 5 Fedora Update System 2010-11-11 06:12:51 UTC 
iodine-0.6.0-0.rc1.6.fc13 has been submitted as an update for Fedora 13.
https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.fc13
Comment 6 Fedora Update System 2010-11-11 16:38:39 UTC 
iodine-0.6.0-0.rc1.6.el5 has been pushed to the Fedora EPEL 5 testing repository.  If problems still persist, please make note of it in this bug report.
 If you want to test the update, you can install it with 
 su -c 'yum --enablerepo=updates-testing update iodine'.  You can provide feedback for this update here: https://admin.fedoraproject.org/updates/iodine-0.6.0-0.rc1.6.el5
Comment 7 Fedora Update System 2010-11-19 22:34:22 UTC 
iodine-0.6.0-0.rc1.6.fc12 has been pushed to the Fedora 12 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 8 Fedora Update System 2010-11-19 22:38:23 UTC 
iodine-0.6.0-0.rc1.6.fc13 has been pushed to the Fedora 13 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 9 Fedora Update System 2010-11-26 16:58:19 UTC 
iodine-0.6.0-0.rc1.6.el5 has been pushed to the Fedora EPEL 5 stable repository.  If problems still persist, please make note of it in this bug report.